Privacy Policy
Effective date: [DD Month YYYY when published]
Last updated: [DD Month YYYY]
1. Who we are
NightDraft is a software product operated by Freddie Chambers ("NightDraft", "we", "us", "our"). NightDraft helps restaurant owners draft replies to inbound booking enquiries in their own voice. We are based in the United Kingdom and accessible at nightdraft.com.
Contact for privacy questions: privacy@nightdraft.com
Contact for security issues: security@nightdraft.com
2. What this policy covers
This policy explains how NightDraft handles data when a restaurant owner connects their Google account to NightDraft. It covers:
- The data we receive from Google APIs (Gmail content)
- How that data is used to draft replies
- How long we keep it
- Who can access it
- How an owner can delete it
It does not cover anything done outside the NightDraft application.
3. The Google data we access
When a restaurant owner authorises NightDraft, we request exactly two OAuth scopes from Google:
- https://www.googleapis.com/auth/gmail.readonly (classified by Google as a restricted scope) - lets NightDraft read the body of inbound emails in the connected mailbox so it can identify booking enquiries and extract context for the draft reply
- https://www.googleapis.com/auth/gmail.drafts.create (classified by Google as a sensitive scope) - lets NightDraft create a draft reply in the connected mailbox's Drafts folder, attached to the original thread, for the owner to review and send
We do not request gmail.send, gmail.modify, gmail.compose, or mail.google.com. We cannot send messages from a connected account. We cannot delete or modify messages other than drafts we have created. We cannot change account settings.
4. Limited Use - Google API Services User Data Policy
NightDraft's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
In practice this means:
- We only use the Gmail data we receive to provide the user-facing feature the owner authorised (drafting replies to booking enquiries in their voice)
- We do not transfer Google user data to third parties except as necessary to provide and improve the feature the owner authorised, or to comply with applicable law, or as part of a merger, acquisition, or sale of assets where the new owner is bound by this same policy
- We do not use Google user data for advertising purposes
- We do not allow humans to read Google user data except (a) with the owner's explicit consent for specific messages, (b) for security reasons (debugging an issue affecting their account, with the owner's consent), (c) to comply with applicable law, or (d) for internal operations where data is aggregated and anonymised
- We do not use Google user data to develop, improve, or train generalised or general-purpose AI or machine-learning models
5. The exact data path
When a booking enquiry arrives at a connected mailbox:
- Read. NightDraft fetches the message body via the Gmail API using the gmail.readonly scope
- Process transiently. The message body is sent to an AI provider (currently Anthropic's Claude API) along with the restaurant's playbook so a draft reply can be composed. This is a transient API call; the message is not stored on Anthropic's side beyond the duration of the API call
- Draft. NightDraft creates a draft reply in the connected mailbox's Drafts folder, attached to the original thread, using the gmail.drafts.create scope
- Owner review. The owner opens their Gmail Drafts folder, reads the draft, edits it freely, and sends it themselves. NightDraft has no send capability
- Retain only the operational record. NightDraft retains, for up to 14 days, a copy of the inbound message body, the generated draft, the owner's final sent message (for the learning loop that improves draft quality over time), and operational metadata (sender domain, timestamps, scope usage logs). After 14 days these are deleted, with the exception of aggregated and anonymised statistics described in section 6.
6. Retention
| Data | Retention | Purpose |
|---|---|---|
| Message bodies of inbound enquiries | 14 days | Generate the draft, capture the edit-log for quality improvement, audit any disputes |
| Generated draft bodies | 14 days | Edit-log comparison against what the owner actually sent |
| Owner's sent message bodies (where we can read them) | 14 days | Edit-log comparison |
| Operational metadata (sender domain, timestamps, scope usage) | 90 days | Debugging, security audit, dispute resolution |
| Aggregated and anonymised quality statistics | Indefinitely | Improving the playbook; never traceable to an individual diner or email |
| OAuth tokens | Until the owner revokes consent or NightDraft is uninstalled | Maintaining the connection |
We will reduce these windows on request. We will delete any specific item on request (see section 9).
7. AI usage disclosure
NightDraft uses Anthropic's Claude API to draft replies. We send the following to Anthropic for each draft:
- The booking enquiry's message body
- The restaurant's playbook (voice templates, pricing language, cancellation policy)
- A system prompt describing the desired output format
Anthropic processes this transiently to generate the draft. Per Anthropic's API terms, inputs are not used to train Anthropic's models and are not retained beyond the duration of the API call (Anthropic logs metadata for abuse prevention for 30 days, but not the prompt content).
NightDraft does not train any AI or machine-learning model on customer Gmail data. Aggregated and anonymised quality statistics (see section 6) inform manual updates to the playbook, but never feed into model training.
8. Sub-processors
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Google (Gmail API) | Source of inbound mail; destination for drafts | Authorised by the owner |
| Anthropic (Claude API) | Draft generation | Message body + playbook, transient |
| Vercel (hosting) | NightDraft homepage and policy hosting | None - no Gmail data |
| Supabase (database, planned) | Storing operational records (post v0.5) | Operational metadata + 14-day data per section 6 |
This list will be updated as the product evolves. Material changes will be announced to current customers via email.
9. Owner rights
The owner of a connected mailbox can:
- Revoke consent at any time from their Google Account at myaccount.google.com/permissions. NightDraft loses access immediately. Existing stored data is deleted within 30 days.
- Request deletion of specific items by emailing privacy@nightdraft.com. We respond within 7 days.
- Request export of stored data by emailing privacy@nightdraft.com.
- Receive a copy of edit-log entries we have stored about their drafts on request.
Diners whose emails are read (the senders of the inbound enquiries) do not have a direct relationship with NightDraft, but if they email privacy@nightdraft.com requesting deletion of an item about them, we will action that within 7 days.
10. Security
- All Gmail data is transmitted over HTTPS (TLS 1.2 or higher)
- All Gmail data at rest is encrypted (AES-256)
- OAuth tokens are stored encrypted, with access restricted to NightDraft operational scripts
- Production systems use Content Security Policy and HTTP Strict Transport Security headers
- NightDraft runs on Apple hardware in the United Kingdom (Mac Mini) and Vercel cloud infrastructure in the European Union
- Security issues can be reported to security@nightdraft.com
11. Children's data
NightDraft is a B2B product. We do not knowingly process data of children under 16. If you believe we have, contact privacy@nightdraft.com.
12. International transfers
Gmail content may be transferred between the United Kingdom (where NightDraft runs) and the United States (where Anthropic's API is hosted). These transfers are covered by the EU-US Data Privacy Framework and the UK Extension to that framework. The Anthropic API call is transient; no persistent storage occurs in the United States.
13. Changes to this policy
We will announce material changes by email to current customers at least 30 days before they take effect. Cosmetic changes (typo fixes, link updates) may be made without notice. The current version is always at nightdraft.com/privacy with a "Last updated" date at the top.
14. Complaints
If you believe NightDraft has mishandled Gmail data, please email privacy@nightdraft.com first so we can investigate. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
15. Contact
NightDraft
[postal address - to be added when business address registered]
United Kingdom
Email: privacy@nightdraft.com (privacy)
Email: security@nightdraft.com (security)
Email: hello@nightdraft.com (general)